What the Internet of Things means for security

You've probably been hearing a lot lately about the Internet of Things (IoT). The IoT (see: "The IoT: A Primer" at the end of this piece), while still in the early stages of development, is slowly making its way into the mainstream as more objects become connected via technology such as radio frequency identification (RFID) and the iniquitousness of the Internet.

Regardless of how the development of the IoT plays out in the months and years to come, or what specific plans organizations have for deploying related projects, there will clearly be security implications. IT and security executives might want to start thinking about the security aspects of IoT today, even if they have no immediate plans to link objects via the Internet.

Among the key security questions are what, if any, new challenges does IoT present and how can companies best prepare to address them?

Experts say the security threats of the Internet of Things are broad and potentially even crippling to systems. Since the IoT will have critical infrastructure components, it presents a good target for national and industrial espionage, as well as denial of service and other attacks. Another major area of concern is the personal information that will potentially reside on networks, also a likely target for cyber criminals.

One thing to keep in mind when evaluating security needs is that the IoT is still very much a work in progress.

"It's not a hard step; it is more of a gradual slope," says Andrew Rose, a principal analyst at Forrester Research Inc. in Cambridge, Mass., who covers security and risk issues and authored a 2012 report entitled, "Prepare Your Security Organization for the Internet of Things."

"Many things are connected to the Internet now, and we will see an increase in this and the advent of contextual data sharing and autonomous machine actions based on that information," Rose says.

Among the key security considerations with IoT is that an object, whether it's a truck, a vending machine or a medicine bottle, will become a part of a network environment.

"The IOT is the allocation of a virtual presence to a physical object," Rose says. "As it develops, these virtual presences will begin to interact and exchange contextual information, [and] the devices will make decisions based on this contextual device. This will lead to very physical threats, around national infrastructure, possessions [for example, cars and homes], environment, power, water and food supply, etc."

As a variety of objects become part of an interconnected environment, "we have to consider that these devices have lost physical security, as they are gong to be located in inhospitable environments, instantly accessible by the individual who is most motivated to tamper with the controls," Rose says.

Attackers could potentially intercept, read or change data, Rose adds. "They could tamper with control systems and change functionality, all adding to the risk scenarios," he says.

One simple example of how network-enabled devices can become a security threat is networked printers, says Randy Marchany, CISO at Virginia Tech University and the director of Virginia Tech's IT Security Laboratory.

"Every printer comes with a built-in [Web] server. Point your browser at the device and you get a control screen/page for the device," Marchany says. "By default, most printers have a 'blank' password. You can see the problem with that right away. Yes, you can change that password but that information usually isn't in a 'read me first' page.

Another issue is ensuring that the version of the Web server running is not vulnerable to attack. "It's not an easy thing to upgrade a [Web] server running on a printer," Marchany says. "You have to usually do a firmware upgrade and for that, you're at the mercy of the vendor. So, default built-in services such as a Web server and the inability to patch/upgrade these services are two threats I think need to be addressed in today's environment."

Unique challenges

Security incidents involving IoT implementations are already occurring. "Most examples are from a lab or test environment," Rose says. "Although real examples have occurred, few are willing to assign blame to external attackers due to the concern that may cause."

Among the recent examples, one involves researchers who hacked into two cars and wirelessly disabled the brakes, turned the lights off and switched the brakes full on--"all beyond the control of the driver," Rose says. In another case, a luxury yacht was lured off course by researchers hacking the GPS signal that it was using for navigation.

"Home control hubs have been found to be vulnerable, allowing attackers to tamper with heating, lighting, power and door locks," Rose says. Other cases involve industrial control systems being hacked via their wireless network and sensors, he says.

"We are already seeing hacked TV sets and video cameras [and] child monitors that have raised privacy concerns, and even hacked power meters which to date have been used to steal electric power," adds Paul Henry, a principal at security consulting firm VNet Security LLC in Boynton Beach, Fla., and a senior instructor at the SANS Institute, a cooperative research and education organization in Bethesda, MD.

"A recent article spoke of a 'hacked light bulb,'" Henry says. "I can imagine a worm that would compromise large numbers of these Internet-connected devices and amass them in to a botnet of some kind. Remember it is not just the value or power of the device that the bad guy wants; it is the bandwidth it can access and use in a DDoS [distributed denial-of-service] attack."

The biggest concern, Henry says, is that the users of IoT devices will not regard the security of the devices they are connecting as being of great concern. "The issue is that the bandwidth of a compromised device can be used to attack a third party," he says. "Imagine a botnet of 100,000,000 IoT devices all making legitimate Web site requests on your corporate Web site at the same time."

Experts say the IoT will likely create unique and in some cases complex security challenges for organizations.

"As machines become autonomous they are able to interact with other machines and make decisions which impact upon the physical world," Rose says. "We have seen problems with automatic trading software, which can get trapped in a loop causing market drops. The systems may have failsafes built in, but these are coded by humans who are fallible, especially when they are writing code that works at the speed [and] frequency that computer programs can operate."

Security threats of the IoT can also result in widespread problems that can have an impact on a lot of people, Rose says.

"If the security of a current system fails we may see a few hundred credit card details get stolen, or a politician embarrassed--but these are not great problems," Rose says. "Imagine instead if a power system were hacked and they turned off the lights in an area of the city. No big deal perhaps for many, but for the thousands of people in the subway stations hundreds of feet underground in pitch darkness, the difference is massive. IoT allows the virtual world to interact with the physical world and that brings big safety issues."

The IoT will bring with it three "massive" security issues, says Ted Demopoulos, founder of security consulting firm Demopoulos Associates in Durham, N.H. These include a loss of privacy, a comingling of personal and company data, and discovery.

The loss of privacy will come from the ability to track the whereabouts of individuals, as well as what items they are buying or whether they are away from home. "Most of us carry cellphones 24/7 that are connecting to cell phone towers, and the data exists to track our movements today," Demopoulos says.

"Something as simple as smart electricity meters can potentially be used to tell if we are home or gone for a while, based on the volume of electricity usage, whether we are night owls or early birds and more," Demopoulos says.

As for the comingling of personal and company data, it's the same challenge that many organizations are already facing with the increased use of mobile technology in the workplace and the bring-your-own-device (BYOD) trend.

"Smartphones are everywhere, sometimes owned by the company, sometimes owned by the employee, sometimes a strange hybrid where the employee buys the phone and the company gives them money toward it," Demopoulos says.

There are technical solutions to the problem; for example, using data encryption and remote wiping of information. But this raises further issues that need to be addressed. "Can a company legally wipe the data?" Demopoulos says. "In some cases it is not clear. Technical solutions do not address legal issues here."

Discovery relates to issues such as attackers being able to remotely read an individual's passport or other identification card remotely via RFID and similar technologies. "In many cases there are technical solutions possible or in existence, but they rarely address ethical, including privacy, and legal issues," Demopoulos says.

What can be done?

While threats will always exist with the IoT as they do with other technology endeavors, it is possible to bolster the security of IoT environments using security tools such as data encryption, strong user authentication, resilient coding and standardized and tested APIs that react in a predictable manner.

Some security tools will need to be applied directly to the connected devices.

"The IoT and its cousin BYOD have the same security issues as traditional computers," Marchany says. "However, IoT devices usually don't have the capability to defend themselves and might have to rely on separate devices such as firewalls [and] intrusion detection/prevention systems. Creating a separate network segment is one option."

In fact, the lack of security tools on the devices themselves or a lack of timely security updates on the devices is what could make securing the IoT somewhat more difficult from other types of security initiatives, Marchany says.

"Physical security is probably more of an issue, since these devices are usually out in the open or in remote locations and anyone can get physical access to it," Marchany says. "Once someone has physical access to the device, the security concerns rise dramatically."

It doesn't help that vendors providing IoT technologies most likely have not designed security into their devices, Marchany says. "In the long term, IT executives should start requiring the vendors to assert [that] their products aren't vulnerable to common attacks such as those listed in the OWASP [Open Web Application Security Project] Top 10 Web Vulnerabilities," he says. IT and security executives should "require vendors to list the vulnerabilities they know exist on their devices as part of the purchase process."

But it's not just up to vendors to protect devices, experts say. IT and security executives will need to have a good handle on what types of devices are connected to the corporate network.

"To secure things on the Internet, we need to know what things we have as a first step," Demopoulos says. There are lots of ways to potentially find what is on any network, he says, including passive listening at network aggregating points, and scanning networks with automated tools that run periodically.

"This works well today, but will not in the future," Demopoulos says. "We will be living in an increasing IPv6 and IPv4 world. You cannot scan an IPv6 subnet, so this technique will not work. An IPv6 subnet is just too big. Organizations need to start planning now on how they will do device discovery in the future. The first step to securing those devices is knowing that they are there."

Security needs to be built in as the foundation of IoT systems, "and that's blatantly not happening," Rose says. "We need to place security at the most capable point in the technology chain and then subject it to rigorous validity checks, authentication, data verification, etc. In addition all the data needs to be encrypted."

At the application level, software development organizations need to be better at writing code that is stable, resilient and trustworthy, Rose says. "They can achieve some of this through better code development standards, training, threat analysis and testing," he says. "Unfortunately, they will always be dependent upon the logical layers beneath them, [for example] the hardware, virtualization layer and the operating system."

These layers need to be reviewed and hardened to ensure that the platform is secure all the way up, Rose says. "In addition, as systems interact with each other, it's essential to have an agreed interoperability standard, which is rock solid, he says. "These are the foundations upon which the IOT will be built."

The IoT: A primer

The Internet of Things (IoT) is still somewhat of a vague concept and carries a number of definitions. The IoT in general refers to an Internet-like structure that connects uniquely identifiable objects, basically anything that can be tagged with an identifying chip.

The "things" in the network take on virtual representations, and can interact with each other as well as gather data such as when and how objects are being used, their operating condition, etc.

Talk of the IoT first emerged through the work of the Auto-ID Center, a non-profit collaboration of private businesses and academic institutions that began creating of an Internet-like infrastructure that could be used to track goods around the world via radio frequency identification (RFID) tags containing Electronic Product Codes.

When the center closed in 2003, EPCGlobal was created to continue the effort to commercialize EPC technology, and the center's research continues today at Auto-ID Labs operated by universities around the world.

In addition to the use of technology such as RFID, the IoT involves Web-enabling many types of products, equipment, vehicles and buildings so that users can capture and share data about the objects. Any "thing" on the network can then become a "smart object" that is part of the Internet and plays an active role in business processes.

These smart objects can potentially include any number of devices, products and corporate assets, such as cars and trucks, vending machines, pharmaceuticals, medical devices, construction equipment and other heavy machinery, gas and electric meters, traffic lights, household appliances and many other entities.

The idea of an IoT is becoming more popular with the advent of ubiquitous connectivity, lower-cost sensors and micro electronics that allow almost anything to be connected to the Internet.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.